The vulnerability identified as CVE-2026-32735 affects the Chrimle openapi-to-java-records-mustache-templates-parent project, specifically versions from 3.1.1 up to 3.5.1. This project facilitates generating Java Records from OpenAPI specifications and includes a parent POM file that centralizes plugin configurations for multiple unit-test modules. The parent POM uses the maven-dependency-plugin to unpack .mustache template files from the openapi-to-java-records-mustache-templates artifact of the same version. However, it lacks proper input validation (CWE-20), allowing the possibility that if the openapi-to-java-records-mustache-templates artifact were compromised to include malicious .mustache files, these files would be automatically unpacked during dependency updates. This could lead to the introduction of malicious code or configurations into the build process or development environment. The parent POM is not intended for external or production use but is published and accessible, increasing the risk surface. The vulnerability is mitigated in version 3.5.1 of the parent POM. The CVSS 4.0 score is 2.3 (low severity), reflecting that exploitation requires user interaction, no privileges, and does not impact confidentiality, integrity, or availability directly. No known exploits are currently reported in the wild. The issue highlights the risks of supply chain attacks and improper input validation in build tooling components.

The primary impact of this vulnerability is a potential supply chain risk where malicious .mustache template files could be introduced into the build environment if the openapi-to-java-records-mustache-templates artifact is compromised. This could lead to the execution of malicious code or injection of harmful configurations during the build or testing phases, potentially affecting software integrity and developer environments. However, since the parent POM is not intended for external or production use and the vulnerability requires user interaction (dependency update), the risk to production systems is limited. Organizations relying on this parent POM for external or production purposes may face increased risk of supply chain compromise, which could cascade into downstream applications. The low CVSS score reflects limited direct impact on confidentiality, integrity, or availability, but the indirect risks related to supply chain trust and build environment security remain relevant. No widespread exploitation is known, reducing immediate impact but underscoring the importance of secure dependency management.

1. Avoid using the openapi-to-java-records-mustache-templates-parent POM externally or in production environments, as it is intended solely for testing and maintainability. 2. Upgrade to version 3.5.1 or later of the openapi-to-java-records-mustache-templates-parent to ensure the vulnerability is patched. 3. Implement strict supply chain security practices, including verifying the integrity and authenticity of all dependencies and artifacts before use. 4. Use reproducible builds and artifact signing to detect unauthorized modifications in dependencies. 5. Monitor dependency updates carefully and restrict automated unpacking or execution of unpacked files unless verified. 6. Educate development teams about the risks of using testing or internal modules in production builds. 7. Employ tools that scan for known vulnerabilities in build configurations and dependencies to catch similar issues early. 8. Consider isolating build environments to limit the impact of any malicious code introduced via compromised dependencies.